@aws-solutions-constructs/aws-lambda-opensearch 2.50.0 → 2.52.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79)
  1. package/.eslintignore +2 -0
  2. package/.jsii +50 -5
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +12 -11
  6. package/test/integ.lamopn-cluster-config.js +6 -2
  7. package/test/integ.lamopn-cluster-config.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  8. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  9. package/test/integ.lamopn-cluster-config.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  10. package/test/integ.lamopn-cluster-config.js.snapshot/cdk.out +1 -0
  11. package/test/integ.lamopn-cluster-config.js.snapshot/integ.json +12 -0
  12. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.assets.json +45 -0
  13. package/test/integ.lamopn-cluster-config.js.snapshot/lamopn-cluster-config.template.json +1295 -0
  14. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.assets.json +19 -0
  15. package/test/integ.lamopn-cluster-config.js.snapshot/lamopnclusterconfigIntegDefaultTestDeployAssertD8012D1A.template.json +36 -0
  16. package/test/integ.lamopn-cluster-config.js.snapshot/manifest.json +323 -0
  17. package/test/integ.lamopn-cluster-config.js.snapshot/tree.json +1795 -0
  18. package/test/integ.lamopn-disabled-zone-awareness.js +6 -2
  19. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  20. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  21. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  22. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/cdk.out +1 -0
  23. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/integ.json +12 -0
  24. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.assets.json +45 -0
  25. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopn-disabled-zone-awareness.template.json +1228 -0
  26. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.assets.json +19 -0
  27. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/lamopndisabledzoneawarenessIntegDefaultTestDeployAssert7E083B68.template.json +36 -0
  28. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/manifest.json +305 -0
  29. package/test/integ.lamopn-disabled-zone-awareness.js.snapshot/tree.json +1687 -0
  30. package/test/integ.lamopn-domain-arguments.js +5 -2
  31. package/test/integ.lamopn-domain-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  32. package/test/integ.lamopn-domain-arguments.js.snapshot/cdk.out +1 -0
  33. package/test/integ.lamopn-domain-arguments.js.snapshot/integ.json +12 -0
  34. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.assets.json +32 -0
  35. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopn-domain-arguments.template.json +846 -0
  36. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.assets.json +19 -0
  37. package/test/integ.lamopn-domain-arguments.js.snapshot/lamopndomainargumentsIntegDefaultTestDeployAssert47534E1E.template.json +36 -0
  38. package/test/integ.lamopn-domain-arguments.js.snapshot/manifest.json +233 -0
  39. package/test/integ.lamopn-domain-arguments.js.snapshot/tree.json +1256 -0
  40. package/test/integ.lamopn-existing-vpc.js +12 -6
  41. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  42. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  43. package/test/integ.lamopn-existing-vpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  44. package/test/integ.lamopn-existing-vpc.js.snapshot/cdk.out +1 -0
  45. package/test/integ.lamopn-existing-vpc.js.snapshot/integ.json +12 -0
  46. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.assets.json +48 -0
  47. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopn-existing-vpc.template.json +1571 -0
  48. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.assets.json +19 -0
  49. package/test/integ.lamopn-existing-vpc.js.snapshot/lamopnexistingvpcIntegDefaultTestDeployAssert4A7EE058.template.json +36 -0
  50. package/test/integ.lamopn-existing-vpc.js.snapshot/manifest.json +419 -0
  51. package/test/integ.lamopn-existing-vpc.js.snapshot/tree.json +2207 -0
  52. package/test/integ.lamopn-no-arguments.js +5 -2
  53. package/test/integ.lamopn-no-arguments.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  54. package/test/integ.lamopn-no-arguments.js.snapshot/cdk.out +1 -0
  55. package/test/integ.lamopn-no-arguments.js.snapshot/integ.json +12 -0
  56. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.assets.json +32 -0
  57. package/test/integ.lamopn-no-arguments.js.snapshot/lamopn-no-arguments.template.json +846 -0
  58. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.assets.json +19 -0
  59. package/test/integ.lamopn-no-arguments.js.snapshot/lamopnnoargumentsIntegDefaultTestDeployAssert4290A592.template.json +36 -0
  60. package/test/integ.lamopn-no-arguments.js.snapshot/manifest.json +233 -0
  61. package/test/integ.lamopn-no-arguments.js.snapshot/tree.json +1256 -0
  62. package/test/integ.lamopn-vpc-props.js +12 -6
  63. package/test/integ.lamopn-vpc-props.js.snapshot/asset.abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290/index.js +60 -0
  64. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  65. package/test/integ.lamopn-vpc-props.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  66. package/test/integ.lamopn-vpc-props.js.snapshot/cdk.out +1 -0
  67. package/test/integ.lamopn-vpc-props.js.snapshot/integ.json +12 -0
  68. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.assets.json +48 -0
  69. package/test/integ.lamopn-vpc-props.js.snapshot/lamopn-vpc-props.template.json +1287 -0
  70. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.assets.json +19 -0
  71. package/test/integ.lamopn-vpc-props.js.snapshot/lamopnvpcpropsIntegDefaultTestDeployAssertC7FD49B0.template.json +36 -0
  72. package/test/integ.lamopn-vpc-props.js.snapshot/manifest.json +323 -0
  73. package/test/integ.lamopn-vpc-props.js.snapshot/tree.json +1795 -0
  74. package/test/integ.lamopn-cluster-config.expected.json +0 -1153
  75. package/test/integ.lamopn-disabled-zone-awareness.expected.json +0 -1093
  76. package/test/integ.lamopn-domain-arguments.expected.json +0 -846
  77. package/test/integ.lamopn-existing-vpc.expected.json +0 -1602
  78. package/test/integ.lamopn-no-arguments.expected.json +0 -846
  79. package/test/integ.lamopn-vpc-props.expected.json +0 -1208
@@ -0,0 +1,1287 @@
1
+ {
2
+ "Resources": {
3
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A": {
4
+ "Type": "AWS::IAM::Role",
5
+ "Properties": {
6
+ "AssumeRolePolicyDocument": {
7
+ "Statement": [
8
+ {
9
+ "Action": "sts:AssumeRole",
10
+ "Effect": "Allow",
11
+ "Principal": {
12
+ "Service": "lambda.amazonaws.com"
13
+ }
14
+ }
15
+ ],
16
+ "Version": "2012-10-17"
17
+ },
18
+ "Policies": [
19
+ {
20
+ "PolicyDocument": {
21
+ "Statement": [
22
+ {
23
+ "Action": [
24
+ "logs:CreateLogGroup",
25
+ "logs:CreateLogStream",
26
+ "logs:PutLogEvents"
27
+ ],
28
+ "Effect": "Allow",
29
+ "Resource": {
30
+ "Fn::Join": [
31
+ "",
32
+ [
33
+ "arn:",
34
+ {
35
+ "Ref": "AWS::Partition"
36
+ },
37
+ ":logs:",
38
+ {
39
+ "Ref": "AWS::Region"
40
+ },
41
+ ":",
42
+ {
43
+ "Ref": "AWS::AccountId"
44
+ },
45
+ ":log-group:/aws/lambda/*"
46
+ ]
47
+ ]
48
+ }
49
+ }
50
+ ],
51
+ "Version": "2012-10-17"
52
+ },
53
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
54
+ }
55
+ ]
56
+ }
57
+ },
58
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359": {
59
+ "Type": "AWS::IAM::Policy",
60
+ "Properties": {
61
+ "PolicyDocument": {
62
+ "Statement": [
63
+ {
64
+ "Action": [
65
+ "ec2:AssignPrivateIpAddresses",
66
+ "ec2:CreateNetworkInterface",
67
+ "ec2:DeleteNetworkInterface",
68
+ "ec2:DescribeNetworkInterfaces",
69
+ "ec2:UnassignPrivateIpAddresses",
70
+ "xray:PutTelemetryRecords",
71
+ "xray:PutTraceSegments"
72
+ ],
73
+ "Effect": "Allow",
74
+ "Resource": "*"
75
+ }
76
+ ],
77
+ "Version": "2012-10-17"
78
+ },
79
+ "PolicyName": "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
80
+ "Roles": [
81
+ {
82
+ "Ref": "testlambdaopensearchLambdaFunctionServiceRole4722AB8A"
83
+ }
84
+ ]
85
+ },
86
+ "Metadata": {
87
+ "cfn_nag": {
88
+ "rules_to_suppress": [
89
+ {
90
+ "id": "W12",
91
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
92
+ }
93
+ ]
94
+ }
95
+ }
96
+ },
97
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC": {
98
+ "Type": "AWS::EC2::SecurityGroup",
99
+ "Properties": {
100
+ "GroupDescription": "lamopn-vpc-props/test-lambda-opensearch/ReplaceDefaultSecurityGroup-security-group",
101
+ "SecurityGroupEgress": [
102
+ {
103
+ "CidrIp": "0.0.0.0/0",
104
+ "Description": "Allow all outbound traffic by default",
105
+ "IpProtocol": "-1"
106
+ }
107
+ ],
108
+ "VpcId": {
109
+ "Ref": "Vpc8378EB38"
110
+ }
111
+ },
112
+ "Metadata": {
113
+ "cfn_nag": {
114
+ "rules_to_suppress": [
115
+ {
116
+ "id": "W5",
117
+ "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
118
+ },
119
+ {
120
+ "id": "W40",
121
+ "reason": "Egress IPProtocol of -1 is default and generally considered OK"
122
+ }
123
+ ]
124
+ }
125
+ }
126
+ },
127
+ "testlambdaopensearchLambdaFunction93FD38F7": {
128
+ "Type": "AWS::Lambda::Function",
129
+ "Properties": {
130
+ "Code": {
131
+ "S3Bucket": {
132
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-us-east-1"
133
+ },
134
+ "S3Key": "abbc4eca9e7ddabc31da3ce83159e6eee8e72e2c358ab8af0711044514c41290.zip"
135
+ },
136
+ "Environment": {
137
+ "Variables": {
138
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
139
+ "DOMAIN_ENDPOINT": {
140
+ "Fn::GetAtt": [
141
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3",
142
+ "DomainEndpoint"
143
+ ]
144
+ }
145
+ }
146
+ },
147
+ "Handler": "index.handler",
148
+ "Role": {
149
+ "Fn::GetAtt": [
150
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
151
+ "Arn"
152
+ ]
153
+ },
154
+ "Runtime": "nodejs16.x",
155
+ "TracingConfig": {
156
+ "Mode": "Active"
157
+ },
158
+ "VpcConfig": {
159
+ "SecurityGroupIds": [
160
+ {
161
+ "Fn::GetAtt": [
162
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
163
+ "GroupId"
164
+ ]
165
+ }
166
+ ],
167
+ "SubnetIds": [
168
+ {
169
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
170
+ },
171
+ {
172
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
173
+ }
174
+ ]
175
+ }
176
+ },
177
+ "DependsOn": [
178
+ "testlambdaopensearchLambdaFunctionServiceRoleDefaultPolicy78C56359",
179
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
180
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A",
181
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F"
182
+ ],
183
+ "Metadata": {
184
+ "cfn_nag": {
185
+ "rules_to_suppress": [
186
+ {
187
+ "id": "W58",
188
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
189
+ },
190
+ {
191
+ "id": "W89",
192
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
193
+ },
194
+ {
195
+ "id": "W92",
196
+ "reason": "Impossible for us to define the correct concurrency for clients"
197
+ }
198
+ ]
199
+ }
200
+ }
201
+ },
202
+ "testlambdaopensearchCognitoUserPoolA09096F9": {
203
+ "Type": "AWS::Cognito::UserPool",
204
+ "Properties": {
205
+ "AccountRecoverySetting": {
206
+ "RecoveryMechanisms": [
207
+ {
208
+ "Name": "verified_phone_number",
209
+ "Priority": 1
210
+ },
211
+ {
212
+ "Name": "verified_email",
213
+ "Priority": 2
214
+ }
215
+ ]
216
+ },
217
+ "AdminCreateUserConfig": {
218
+ "AllowAdminCreateUserOnly": true
219
+ },
220
+ "EmailVerificationMessage": "The verification code to your new account is {####}",
221
+ "EmailVerificationSubject": "Verify your new account",
222
+ "SmsVerificationMessage": "The verification code to your new account is {####}",
223
+ "UserPoolAddOns": {
224
+ "AdvancedSecurityMode": "ENFORCED"
225
+ },
226
+ "VerificationMessageTemplate": {
227
+ "DefaultEmailOption": "CONFIRM_WITH_CODE",
228
+ "EmailMessage": "The verification code to your new account is {####}",
229
+ "EmailSubject": "Verify your new account",
230
+ "SmsMessage": "The verification code to your new account is {####}"
231
+ }
232
+ },
233
+ "UpdateReplacePolicy": "Retain",
234
+ "DeletionPolicy": "Retain"
235
+ },
236
+ "testlambdaopensearchCognitoUserPoolClient39C21D94": {
237
+ "Type": "AWS::Cognito::UserPoolClient",
238
+ "Properties": {
239
+ "AllowedOAuthFlows": [
240
+ "implicit",
241
+ "code"
242
+ ],
243
+ "AllowedOAuthFlowsUserPoolClient": true,
244
+ "AllowedOAuthScopes": [
245
+ "profile",
246
+ "phone",
247
+ "email",
248
+ "openid",
249
+ "aws.cognito.signin.user.admin"
250
+ ],
251
+ "CallbackURLs": [
252
+ "https://example.com"
253
+ ],
254
+ "SupportedIdentityProviders": [
255
+ "COGNITO"
256
+ ],
257
+ "UserPoolId": {
258
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
259
+ }
260
+ }
261
+ },
262
+ "testlambdaopensearchCognitoIdentityPool0B1FB311": {
263
+ "Type": "AWS::Cognito::IdentityPool",
264
+ "Properties": {
265
+ "AllowUnauthenticatedIdentities": false,
266
+ "CognitoIdentityProviders": [
267
+ {
268
+ "ClientId": {
269
+ "Ref": "testlambdaopensearchCognitoUserPoolClient39C21D94"
270
+ },
271
+ "ProviderName": {
272
+ "Fn::GetAtt": [
273
+ "testlambdaopensearchCognitoUserPoolA09096F9",
274
+ "ProviderName"
275
+ ]
276
+ },
277
+ "ServerSideTokenCheck": true
278
+ }
279
+ ]
280
+ }
281
+ },
282
+ "testlambdaopensearchUserPoolDomain98864920": {
283
+ "Type": "AWS::Cognito::UserPoolDomain",
284
+ "Properties": {
285
+ "Domain": {
286
+ "Fn::Join": [
287
+ "-",
288
+ [
289
+ "dmn",
290
+ {
291
+ "Fn::Select": [
292
+ 4,
293
+ {
294
+ "Fn::Split": [
295
+ "-",
296
+ {
297
+ "Fn::Select": [
298
+ 2,
299
+ {
300
+ "Fn::Split": [
301
+ "/",
302
+ {
303
+ "Ref": "AWS::StackId"
304
+ }
305
+ ]
306
+ }
307
+ ]
308
+ }
309
+ ]
310
+ }
311
+ ]
312
+ }
313
+ ]
314
+ ]
315
+ },
316
+ "UserPoolId": {
317
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
318
+ }
319
+ },
320
+ "DependsOn": [
321
+ "testlambdaopensearchCognitoUserPoolA09096F9"
322
+ ]
323
+ },
324
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44": {
325
+ "Type": "AWS::IAM::Role",
326
+ "Properties": {
327
+ "AssumeRolePolicyDocument": {
328
+ "Statement": [
329
+ {
330
+ "Action": "sts:AssumeRoleWithWebIdentity",
331
+ "Condition": {
332
+ "StringEquals": {
333
+ "cognito-identity.amazonaws.com:aud": {
334
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
335
+ }
336
+ },
337
+ "ForAnyValue:StringLike": {
338
+ "cognito-identity.amazonaws.com:amr": "authenticated"
339
+ }
340
+ },
341
+ "Effect": "Allow",
342
+ "Principal": {
343
+ "Federated": "cognito-identity.amazonaws.com"
344
+ }
345
+ }
346
+ ],
347
+ "Version": "2012-10-17"
348
+ },
349
+ "Policies": [
350
+ {
351
+ "PolicyDocument": {
352
+ "Statement": [
353
+ {
354
+ "Action": "es:ESHttp*",
355
+ "Effect": "Allow",
356
+ "Resource": {
357
+ "Fn::Join": [
358
+ "",
359
+ [
360
+ "arn:",
361
+ {
362
+ "Ref": "AWS::Partition"
363
+ },
364
+ ":es:",
365
+ {
366
+ "Ref": "AWS::Region"
367
+ },
368
+ ":",
369
+ {
370
+ "Ref": "AWS::AccountId"
371
+ },
372
+ ":domain/",
373
+ {
374
+ "Fn::Join": [
375
+ "-",
376
+ [
377
+ "dmn",
378
+ {
379
+ "Fn::Select": [
380
+ 4,
381
+ {
382
+ "Fn::Split": [
383
+ "-",
384
+ {
385
+ "Fn::Select": [
386
+ 2,
387
+ {
388
+ "Fn::Split": [
389
+ "/",
390
+ {
391
+ "Ref": "AWS::StackId"
392
+ }
393
+ ]
394
+ }
395
+ ]
396
+ }
397
+ ]
398
+ }
399
+ ]
400
+ }
401
+ ]
402
+ ]
403
+ },
404
+ "/*"
405
+ ]
406
+ ]
407
+ }
408
+ }
409
+ ],
410
+ "Version": "2012-10-17"
411
+ },
412
+ "PolicyName": "CognitoAccessPolicy"
413
+ }
414
+ ]
415
+ }
416
+ },
417
+ "testlambdaopensearchIdentityPoolRoleMappingD8C765B1": {
418
+ "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
419
+ "Properties": {
420
+ "IdentityPoolId": {
421
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
422
+ },
423
+ "Roles": {
424
+ "authenticated": {
425
+ "Fn::GetAtt": [
426
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
427
+ "Arn"
428
+ ]
429
+ }
430
+ }
431
+ }
432
+ },
433
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A": {
434
+ "Type": "AWS::IAM::Role",
435
+ "Properties": {
436
+ "AssumeRolePolicyDocument": {
437
+ "Statement": [
438
+ {
439
+ "Action": "sts:AssumeRole",
440
+ "Effect": "Allow",
441
+ "Principal": {
442
+ "Service": "es.amazonaws.com"
443
+ }
444
+ }
445
+ ],
446
+ "Version": "2012-10-17"
447
+ }
448
+ }
449
+ },
450
+ "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2": {
451
+ "Type": "AWS::IAM::Policy",
452
+ "Properties": {
453
+ "PolicyDocument": {
454
+ "Statement": [
455
+ {
456
+ "Action": [
457
+ "cognito-identity:DescribeIdentityPool",
458
+ "cognito-identity:GetIdentityPoolRoles",
459
+ "cognito-identity:SetIdentityPoolRoles",
460
+ "cognito-identity:UpdateIdentityPool",
461
+ "cognito-idp:AdminInitiateAuth",
462
+ "cognito-idp:AdminUserGlobalSignOut",
463
+ "cognito-idp:CreateUserPoolClient",
464
+ "cognito-idp:DeleteUserPoolClient",
465
+ "cognito-idp:DescribeUserPool",
466
+ "cognito-idp:DescribeUserPoolClient",
467
+ "cognito-idp:ListUserPoolClients",
468
+ "es:UpdateDomainConfig"
469
+ ],
470
+ "Effect": "Allow",
471
+ "Resource": [
472
+ {
473
+ "Fn::GetAtt": [
474
+ "testlambdaopensearchCognitoUserPoolA09096F9",
475
+ "Arn"
476
+ ]
477
+ },
478
+ {
479
+ "Fn::Join": [
480
+ "",
481
+ [
482
+ "arn:",
483
+ {
484
+ "Ref": "AWS::Partition"
485
+ },
486
+ ":cognito-identity:",
487
+ {
488
+ "Ref": "AWS::Region"
489
+ },
490
+ ":",
491
+ {
492
+ "Ref": "AWS::AccountId"
493
+ },
494
+ ":identitypool/",
495
+ {
496
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
497
+ }
498
+ ]
499
+ ]
500
+ },
501
+ {
502
+ "Fn::Join": [
503
+ "",
504
+ [
505
+ "arn:",
506
+ {
507
+ "Ref": "AWS::Partition"
508
+ },
509
+ ":es:",
510
+ {
511
+ "Ref": "AWS::Region"
512
+ },
513
+ ":",
514
+ {
515
+ "Ref": "AWS::AccountId"
516
+ },
517
+ ":domain/",
518
+ {
519
+ "Fn::Join": [
520
+ "-",
521
+ [
522
+ "dmn",
523
+ {
524
+ "Fn::Select": [
525
+ 4,
526
+ {
527
+ "Fn::Split": [
528
+ "-",
529
+ {
530
+ "Fn::Select": [
531
+ 2,
532
+ {
533
+ "Fn::Split": [
534
+ "/",
535
+ {
536
+ "Ref": "AWS::StackId"
537
+ }
538
+ ]
539
+ }
540
+ ]
541
+ }
542
+ ]
543
+ }
544
+ ]
545
+ }
546
+ ]
547
+ ]
548
+ }
549
+ ]
550
+ ]
551
+ }
552
+ ]
553
+ },
554
+ {
555
+ "Action": "iam:PassRole",
556
+ "Condition": {
557
+ "StringLike": {
558
+ "iam:PassedToService": "cognito-identity.amazonaws.com"
559
+ }
560
+ },
561
+ "Effect": "Allow",
562
+ "Resource": {
563
+ "Fn::GetAtt": [
564
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
565
+ "Arn"
566
+ ]
567
+ }
568
+ }
569
+ ],
570
+ "Version": "2012-10-17"
571
+ },
572
+ "PolicyName": "testlambdaopensearchCognitoDashboardConfigureRolePolicyC9C6A6A2",
573
+ "Roles": [
574
+ {
575
+ "Ref": "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A"
576
+ }
577
+ ]
578
+ }
579
+ },
580
+ "testlambdaopensearchOpenSearchDomainF9CCC3D3": {
581
+ "Type": "AWS::OpenSearchService::Domain",
582
+ "Properties": {
583
+ "AccessPolicies": {
584
+ "Statement": [
585
+ {
586
+ "Action": "es:ESHttp*",
587
+ "Effect": "Allow",
588
+ "Principal": {
589
+ "AWS": [
590
+ {
591
+ "Fn::GetAtt": [
592
+ "testlambdaopensearchCognitoAuthorizedRole58A1ED44",
593
+ "Arn"
594
+ ]
595
+ },
596
+ {
597
+ "Fn::GetAtt": [
598
+ "testlambdaopensearchLambdaFunctionServiceRole4722AB8A",
599
+ "Arn"
600
+ ]
601
+ }
602
+ ]
603
+ },
604
+ "Resource": {
605
+ "Fn::Join": [
606
+ "",
607
+ [
608
+ "arn:",
609
+ {
610
+ "Ref": "AWS::Partition"
611
+ },
612
+ ":es:",
613
+ {
614
+ "Ref": "AWS::Region"
615
+ },
616
+ ":",
617
+ {
618
+ "Ref": "AWS::AccountId"
619
+ },
620
+ ":domain/",
621
+ {
622
+ "Fn::Join": [
623
+ "-",
624
+ [
625
+ "dmn",
626
+ {
627
+ "Fn::Select": [
628
+ 4,
629
+ {
630
+ "Fn::Split": [
631
+ "-",
632
+ {
633
+ "Fn::Select": [
634
+ 2,
635
+ {
636
+ "Fn::Split": [
637
+ "/",
638
+ {
639
+ "Ref": "AWS::StackId"
640
+ }
641
+ ]
642
+ }
643
+ ]
644
+ }
645
+ ]
646
+ }
647
+ ]
648
+ }
649
+ ]
650
+ ]
651
+ },
652
+ "/*"
653
+ ]
654
+ ]
655
+ }
656
+ }
657
+ ],
658
+ "Version": "2012-10-17"
659
+ },
660
+ "ClusterConfig": {
661
+ "DedicatedMasterCount": 3,
662
+ "DedicatedMasterEnabled": true,
663
+ "InstanceCount": 2,
664
+ "ZoneAwarenessConfig": {
665
+ "AvailabilityZoneCount": 2
666
+ },
667
+ "ZoneAwarenessEnabled": true
668
+ },
669
+ "CognitoOptions": {
670
+ "Enabled": true,
671
+ "IdentityPoolId": {
672
+ "Ref": "testlambdaopensearchCognitoIdentityPool0B1FB311"
673
+ },
674
+ "RoleArn": {
675
+ "Fn::GetAtt": [
676
+ "testlambdaopensearchCognitoDashboardConfigureRole1F2B7B7A",
677
+ "Arn"
678
+ ]
679
+ },
680
+ "UserPoolId": {
681
+ "Ref": "testlambdaopensearchCognitoUserPoolA09096F9"
682
+ }
683
+ },
684
+ "DomainEndpointOptions": {
685
+ "EnforceHTTPS": true,
686
+ "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
687
+ },
688
+ "DomainName": {
689
+ "Fn::Join": [
690
+ "-",
691
+ [
692
+ "dmn",
693
+ {
694
+ "Fn::Select": [
695
+ 4,
696
+ {
697
+ "Fn::Split": [
698
+ "-",
699
+ {
700
+ "Fn::Select": [
701
+ 2,
702
+ {
703
+ "Fn::Split": [
704
+ "/",
705
+ {
706
+ "Ref": "AWS::StackId"
707
+ }
708
+ ]
709
+ }
710
+ ]
711
+ }
712
+ ]
713
+ }
714
+ ]
715
+ }
716
+ ]
717
+ ]
718
+ },
719
+ "EBSOptions": {
720
+ "EBSEnabled": true,
721
+ "VolumeSize": 10
722
+ },
723
+ "EncryptionAtRestOptions": {
724
+ "Enabled": true
725
+ },
726
+ "EngineVersion": "OpenSearch_1.3",
727
+ "NodeToNodeEncryptionOptions": {
728
+ "Enabled": true
729
+ },
730
+ "SnapshotOptions": {
731
+ "AutomatedSnapshotStartHour": 1
732
+ },
733
+ "VPCOptions": {
734
+ "SecurityGroupIds": [
735
+ {
736
+ "Fn::GetAtt": [
737
+ "testlambdaopensearchReplaceDefaultSecurityGroupsecuritygroupB44718EC",
738
+ "GroupId"
739
+ ]
740
+ }
741
+ ],
742
+ "SubnetIds": [
743
+ {
744
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
745
+ },
746
+ {
747
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
748
+ }
749
+ ]
750
+ }
751
+ },
752
+ "Metadata": {
753
+ "cfn_nag": {
754
+ "rules_to_suppress": [
755
+ {
756
+ "id": "W28",
757
+ "reason": "The OpenSearch Service domain is passed dynamically as as parameter and explicitly specified to ensure that IAM policies are configured to lockdown access to this specific OpenSearch Service instance only"
758
+ },
759
+ {
760
+ "id": "W90",
761
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
762
+ }
763
+ ]
764
+ }
765
+ }
766
+ },
767
+ "testlambdaopensearchStatusRedAlarm1627144D": {
768
+ "Type": "AWS::CloudWatch::Alarm",
769
+ "Properties": {
770
+ "AlarmDescription": "At least one primary shard and its replicas are not allocated to a node. ",
771
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
772
+ "EvaluationPeriods": 1,
773
+ "MetricName": "ClusterStatus.red",
774
+ "Namespace": "AWS/ES",
775
+ "Period": 60,
776
+ "Statistic": "Maximum",
777
+ "Threshold": 1
778
+ }
779
+ },
780
+ "testlambdaopensearchStatusYellowAlarm57139CF0": {
781
+ "Type": "AWS::CloudWatch::Alarm",
782
+ "Properties": {
783
+ "AlarmDescription": "At least one replica shard is not allocated to a node.",
784
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
785
+ "EvaluationPeriods": 1,
786
+ "MetricName": "ClusterStatus.yellow",
787
+ "Namespace": "AWS/ES",
788
+ "Period": 60,
789
+ "Statistic": "Maximum",
790
+ "Threshold": 1
791
+ }
792
+ },
793
+ "testlambdaopensearchFreeStorageSpaceTooLowAlarm6A5E1E96": {
794
+ "Type": "AWS::CloudWatch::Alarm",
795
+ "Properties": {
796
+ "AlarmDescription": "A node in your cluster is down to 20 GiB of free storage space.",
797
+ "ComparisonOperator": "LessThanOrEqualToThreshold",
798
+ "EvaluationPeriods": 1,
799
+ "MetricName": "FreeStorageSpace",
800
+ "Namespace": "AWS/ES",
801
+ "Period": 60,
802
+ "Statistic": "Minimum",
803
+ "Threshold": 20000
804
+ }
805
+ },
806
+ "testlambdaopensearchIndexWritesBlockedTooHighAlarmD2E041A3": {
807
+ "Type": "AWS::CloudWatch::Alarm",
808
+ "Properties": {
809
+ "AlarmDescription": "Your cluster is blocking write requests.",
810
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
811
+ "EvaluationPeriods": 1,
812
+ "MetricName": "ClusterIndexWritesBlocked",
813
+ "Namespace": "AWS/ES",
814
+ "Period": 300,
815
+ "Statistic": "Maximum",
816
+ "Threshold": 1
817
+ }
818
+ },
819
+ "testlambdaopensearchAutomatedSnapshotFailureTooHighAlarm9A4D0B1F": {
820
+ "Type": "AWS::CloudWatch::Alarm",
821
+ "Properties": {
822
+ "AlarmDescription": "An automated snapshot failed. This failure is often the result of a red cluster health status.",
823
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
824
+ "EvaluationPeriods": 1,
825
+ "MetricName": "AutomatedSnapshotFailure",
826
+ "Namespace": "AWS/ES",
827
+ "Period": 60,
828
+ "Statistic": "Maximum",
829
+ "Threshold": 1
830
+ }
831
+ },
832
+ "testlambdaopensearchCPUUtilizationTooHighAlarmC4850758": {
833
+ "Type": "AWS::CloudWatch::Alarm",
834
+ "Properties": {
835
+ "AlarmDescription": "100% CPU utilization is not uncommon, but sustained high usage is problematic. Consider using larger instance types or adding instances.",
836
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
837
+ "EvaluationPeriods": 3,
838
+ "MetricName": "CPUUtilization",
839
+ "Namespace": "AWS/ES",
840
+ "Period": 900,
841
+ "Statistic": "Average",
842
+ "Threshold": 80
843
+ }
844
+ },
845
+ "testlambdaopensearchJVMMemoryPressureTooHighAlarmEFB09A7C": {
846
+ "Type": "AWS::CloudWatch::Alarm",
847
+ "Properties": {
848
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
849
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
850
+ "EvaluationPeriods": 1,
851
+ "MetricName": "JVMMemoryPressure",
852
+ "Namespace": "AWS/ES",
853
+ "Period": 900,
854
+ "Statistic": "Average",
855
+ "Threshold": 80
856
+ }
857
+ },
858
+ "testlambdaopensearchMasterCPUUtilizationTooHighAlarm124D5748": {
859
+ "Type": "AWS::CloudWatch::Alarm",
860
+ "Properties": {
861
+ "AlarmDescription": "Average CPU utilization over last 45 minutes too high. Consider using larger instance types for your dedicated master nodes.",
862
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
863
+ "EvaluationPeriods": 3,
864
+ "MetricName": "MasterCPUUtilization",
865
+ "Namespace": "AWS/ES",
866
+ "Period": 900,
867
+ "Statistic": "Average",
868
+ "Threshold": 50
869
+ }
870
+ },
871
+ "testlambdaopensearchMasterJVMMemoryPressureTooHighAlarmBC9524D3": {
872
+ "Type": "AWS::CloudWatch::Alarm",
873
+ "Properties": {
874
+ "AlarmDescription": "Average JVM memory pressure over last 15 minutes too high. Consider scaling vertically.",
875
+ "ComparisonOperator": "GreaterThanOrEqualToThreshold",
876
+ "EvaluationPeriods": 1,
877
+ "MetricName": "MasterJVMMemoryPressure",
878
+ "Namespace": "AWS/ES",
879
+ "Period": 900,
880
+ "Statistic": "Average",
881
+ "Threshold": 50
882
+ }
883
+ },
884
+ "Vpc8378EB38": {
885
+ "Type": "AWS::EC2::VPC",
886
+ "Properties": {
887
+ "CidrBlock": "172.168.0.0/16",
888
+ "EnableDnsHostnames": true,
889
+ "EnableDnsSupport": true,
890
+ "InstanceTenancy": "default",
891
+ "Tags": [
892
+ {
893
+ "Key": "Name",
894
+ "Value": "lamopn-vpc-props/Vpc"
895
+ }
896
+ ]
897
+ }
898
+ },
899
+ "VpcisolatedSubnet1SubnetE62B1B9B": {
900
+ "Type": "AWS::EC2::Subnet",
901
+ "Properties": {
902
+ "AvailabilityZone": {
903
+ "Fn::Select": [
904
+ 0,
905
+ {
906
+ "Fn::GetAZs": ""
907
+ }
908
+ ]
909
+ },
910
+ "CidrBlock": "172.168.0.0/18",
911
+ "MapPublicIpOnLaunch": false,
912
+ "Tags": [
913
+ {
914
+ "Key": "aws-cdk:subnet-name",
915
+ "Value": "isolated"
916
+ },
917
+ {
918
+ "Key": "aws-cdk:subnet-type",
919
+ "Value": "Isolated"
920
+ },
921
+ {
922
+ "Key": "Name",
923
+ "Value": "lamopn-vpc-props/Vpc/isolatedSubnet1"
924
+ }
925
+ ],
926
+ "VpcId": {
927
+ "Ref": "Vpc8378EB38"
928
+ }
929
+ }
930
+ },
931
+ "VpcisolatedSubnet1RouteTableE442650B": {
932
+ "Type": "AWS::EC2::RouteTable",
933
+ "Properties": {
934
+ "Tags": [
935
+ {
936
+ "Key": "Name",
937
+ "Value": "lamopn-vpc-props/Vpc/isolatedSubnet1"
938
+ }
939
+ ],
940
+ "VpcId": {
941
+ "Ref": "Vpc8378EB38"
942
+ }
943
+ }
944
+ },
945
+ "VpcisolatedSubnet1RouteTableAssociationD259E31A": {
946
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
947
+ "Properties": {
948
+ "RouteTableId": {
949
+ "Ref": "VpcisolatedSubnet1RouteTableE442650B"
950
+ },
951
+ "SubnetId": {
952
+ "Ref": "VpcisolatedSubnet1SubnetE62B1B9B"
953
+ }
954
+ }
955
+ },
956
+ "VpcisolatedSubnet2Subnet39217055": {
957
+ "Type": "AWS::EC2::Subnet",
958
+ "Properties": {
959
+ "AvailabilityZone": {
960
+ "Fn::Select": [
961
+ 1,
962
+ {
963
+ "Fn::GetAZs": ""
964
+ }
965
+ ]
966
+ },
967
+ "CidrBlock": "172.168.64.0/18",
968
+ "MapPublicIpOnLaunch": false,
969
+ "Tags": [
970
+ {
971
+ "Key": "aws-cdk:subnet-name",
972
+ "Value": "isolated"
973
+ },
974
+ {
975
+ "Key": "aws-cdk:subnet-type",
976
+ "Value": "Isolated"
977
+ },
978
+ {
979
+ "Key": "Name",
980
+ "Value": "lamopn-vpc-props/Vpc/isolatedSubnet2"
981
+ }
982
+ ],
983
+ "VpcId": {
984
+ "Ref": "Vpc8378EB38"
985
+ }
986
+ }
987
+ },
988
+ "VpcisolatedSubnet2RouteTable334F9764": {
989
+ "Type": "AWS::EC2::RouteTable",
990
+ "Properties": {
991
+ "Tags": [
992
+ {
993
+ "Key": "Name",
994
+ "Value": "lamopn-vpc-props/Vpc/isolatedSubnet2"
995
+ }
996
+ ],
997
+ "VpcId": {
998
+ "Ref": "Vpc8378EB38"
999
+ }
1000
+ }
1001
+ },
1002
+ "VpcisolatedSubnet2RouteTableAssociation25A4716F": {
1003
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
1004
+ "Properties": {
1005
+ "RouteTableId": {
1006
+ "Ref": "VpcisolatedSubnet2RouteTable334F9764"
1007
+ },
1008
+ "SubnetId": {
1009
+ "Ref": "VpcisolatedSubnet2Subnet39217055"
1010
+ }
1011
+ }
1012
+ },
1013
+ "VpcRestrictDefaultSecurityGroupCustomResourceC73DA2BE": {
1014
+ "Type": "Custom::VpcRestrictDefaultSG",
1015
+ "Properties": {
1016
+ "ServiceToken": {
1017
+ "Fn::GetAtt": [
1018
+ "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E",
1019
+ "Arn"
1020
+ ]
1021
+ },
1022
+ "DefaultSecurityGroupId": {
1023
+ "Fn::GetAtt": [
1024
+ "Vpc8378EB38",
1025
+ "DefaultSecurityGroup"
1026
+ ]
1027
+ },
1028
+ "Account": {
1029
+ "Ref": "AWS::AccountId"
1030
+ }
1031
+ },
1032
+ "UpdateReplacePolicy": "Delete",
1033
+ "DeletionPolicy": "Delete"
1034
+ },
1035
+ "VpcFlowLogIAMRole6A475D41": {
1036
+ "Type": "AWS::IAM::Role",
1037
+ "Properties": {
1038
+ "AssumeRolePolicyDocument": {
1039
+ "Statement": [
1040
+ {
1041
+ "Action": "sts:AssumeRole",
1042
+ "Effect": "Allow",
1043
+ "Principal": {
1044
+ "Service": "vpc-flow-logs.amazonaws.com"
1045
+ }
1046
+ }
1047
+ ],
1048
+ "Version": "2012-10-17"
1049
+ },
1050
+ "Tags": [
1051
+ {
1052
+ "Key": "Name",
1053
+ "Value": "lamopn-vpc-props/Vpc/FlowLog"
1054
+ }
1055
+ ]
1056
+ }
1057
+ },
1058
+ "VpcFlowLogIAMRoleDefaultPolicy406FB995": {
1059
+ "Type": "AWS::IAM::Policy",
1060
+ "Properties": {
1061
+ "PolicyDocument": {
1062
+ "Statement": [
1063
+ {
1064
+ "Action": [
1065
+ "logs:CreateLogStream",
1066
+ "logs:DescribeLogStreams",
1067
+ "logs:PutLogEvents"
1068
+ ],
1069
+ "Effect": "Allow",
1070
+ "Resource": {
1071
+ "Fn::GetAtt": [
1072
+ "VpcFlowLogLogGroup7B5C56B9",
1073
+ "Arn"
1074
+ ]
1075
+ }
1076
+ },
1077
+ {
1078
+ "Action": "iam:PassRole",
1079
+ "Effect": "Allow",
1080
+ "Resource": {
1081
+ "Fn::GetAtt": [
1082
+ "VpcFlowLogIAMRole6A475D41",
1083
+ "Arn"
1084
+ ]
1085
+ }
1086
+ }
1087
+ ],
1088
+ "Version": "2012-10-17"
1089
+ },
1090
+ "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995",
1091
+ "Roles": [
1092
+ {
1093
+ "Ref": "VpcFlowLogIAMRole6A475D41"
1094
+ }
1095
+ ]
1096
+ }
1097
+ },
1098
+ "VpcFlowLogLogGroup7B5C56B9": {
1099
+ "Type": "AWS::Logs::LogGroup",
1100
+ "Properties": {
1101
+ "RetentionInDays": 731,
1102
+ "Tags": [
1103
+ {
1104
+ "Key": "Name",
1105
+ "Value": "lamopn-vpc-props/Vpc/FlowLog"
1106
+ }
1107
+ ]
1108
+ },
1109
+ "UpdateReplacePolicy": "Retain",
1110
+ "DeletionPolicy": "Retain",
1111
+ "Metadata": {
1112
+ "cfn_nag": {
1113
+ "rules_to_suppress": [
1114
+ {
1115
+ "id": "W84",
1116
+ "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
1117
+ }
1118
+ ]
1119
+ }
1120
+ }
1121
+ },
1122
+ "VpcFlowLog8FF33A73": {
1123
+ "Type": "AWS::EC2::FlowLog",
1124
+ "Properties": {
1125
+ "DeliverLogsPermissionArn": {
1126
+ "Fn::GetAtt": [
1127
+ "VpcFlowLogIAMRole6A475D41",
1128
+ "Arn"
1129
+ ]
1130
+ },
1131
+ "LogDestinationType": "cloud-watch-logs",
1132
+ "LogGroupName": {
1133
+ "Ref": "VpcFlowLogLogGroup7B5C56B9"
1134
+ },
1135
+ "ResourceId": {
1136
+ "Ref": "Vpc8378EB38"
1137
+ },
1138
+ "ResourceType": "VPC",
1139
+ "Tags": [
1140
+ {
1141
+ "Key": "Name",
1142
+ "Value": "lamopn-vpc-props/Vpc/FlowLog"
1143
+ }
1144
+ ],
1145
+ "TrafficType": "ALL"
1146
+ }
1147
+ },
1148
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0": {
1149
+ "Type": "AWS::IAM::Role",
1150
+ "Properties": {
1151
+ "AssumeRolePolicyDocument": {
1152
+ "Version": "2012-10-17",
1153
+ "Statement": [
1154
+ {
1155
+ "Action": "sts:AssumeRole",
1156
+ "Effect": "Allow",
1157
+ "Principal": {
1158
+ "Service": "lambda.amazonaws.com"
1159
+ }
1160
+ }
1161
+ ]
1162
+ },
1163
+ "ManagedPolicyArns": [
1164
+ {
1165
+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
1166
+ }
1167
+ ],
1168
+ "Policies": [
1169
+ {
1170
+ "PolicyName": "Inline",
1171
+ "PolicyDocument": {
1172
+ "Version": "2012-10-17",
1173
+ "Statement": [
1174
+ {
1175
+ "Effect": "Allow",
1176
+ "Action": [
1177
+ "ec2:AuthorizeSecurityGroupIngress",
1178
+ "ec2:AuthorizeSecurityGroupEgress",
1179
+ "ec2:RevokeSecurityGroupIngress",
1180
+ "ec2:RevokeSecurityGroupEgress"
1181
+ ],
1182
+ "Resource": [
1183
+ {
1184
+ "Fn::Join": [
1185
+ "",
1186
+ [
1187
+ "arn:aws:ec2:us-east-1:",
1188
+ {
1189
+ "Ref": "AWS::AccountId"
1190
+ },
1191
+ ":security-group/",
1192
+ {
1193
+ "Fn::GetAtt": [
1194
+ "Vpc8378EB38",
1195
+ "DefaultSecurityGroup"
1196
+ ]
1197
+ }
1198
+ ]
1199
+ ]
1200
+ }
1201
+ ]
1202
+ }
1203
+ ]
1204
+ }
1205
+ }
1206
+ ]
1207
+ }
1208
+ },
1209
+ "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E": {
1210
+ "Type": "AWS::Lambda::Function",
1211
+ "Properties": {
1212
+ "Code": {
1213
+ "S3Bucket": {
1214
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-us-east-1"
1215
+ },
1216
+ "S3Key": "dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e.zip"
1217
+ },
1218
+ "Timeout": 900,
1219
+ "MemorySize": 128,
1220
+ "Handler": "__entrypoint__.handler",
1221
+ "Role": {
1222
+ "Fn::GetAtt": [
1223
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0",
1224
+ "Arn"
1225
+ ]
1226
+ },
1227
+ "Runtime": "nodejs18.x",
1228
+ "Description": "Lambda function for removing all inbound/outbound rules from the VPC default security group"
1229
+ },
1230
+ "DependsOn": [
1231
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0"
1232
+ ],
1233
+ "Metadata": {
1234
+ "cfn_nag": {
1235
+ "rules_to_suppress": [
1236
+ {
1237
+ "id": "W58",
1238
+ "reason": "CDK generated custom resource"
1239
+ },
1240
+ {
1241
+ "id": "W89",
1242
+ "reason": "CDK generated custom resource"
1243
+ },
1244
+ {
1245
+ "id": "W92",
1246
+ "reason": "CDK generated custom resource"
1247
+ }
1248
+ ]
1249
+ }
1250
+ }
1251
+ }
1252
+ },
1253
+ "Parameters": {
1254
+ "BootstrapVersion": {
1255
+ "Type": "AWS::SSM::Parameter::Value<String>",
1256
+ "Default": "/cdk-bootstrap/hnb659fds/version",
1257
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
1258
+ }
1259
+ },
1260
+ "Rules": {
1261
+ "CheckBootstrapVersion": {
1262
+ "Assertions": [
1263
+ {
1264
+ "Assert": {
1265
+ "Fn::Not": [
1266
+ {
1267
+ "Fn::Contains": [
1268
+ [
1269
+ "1",
1270
+ "2",
1271
+ "3",
1272
+ "4",
1273
+ "5"
1274
+ ],
1275
+ {
1276
+ "Ref": "BootstrapVersion"
1277
+ }
1278
+ ]
1279
+ }
1280
+ ]
1281
+ },
1282
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1283
+ }
1284
+ ]
1285
+ }
1286
+ }
1287
+ }